Learn to walk the compliance tightrope, or prepare to pay significant penalties.
Make no mistake: As a chiropractor, you are a full-fledged member of the professional healthcare community.
This is a tremendous honor, and with it comes considerable responsibility. It means you are subject to the same rules of the road that apply to all other healthcare providers.
For too long, chiropractors have presumed that they are under the radar with respect to bureaucratic guidelines and federal regulations. But especially if you bill third-party payers, in the eyes of the law you’re fully culpable and responsible for regulatory compliance.
The matter is more than academic. The Office of Inspector General (OIG) has specifically turned its attention toward chiropractors and is planning to start making examples out of regulatory scofflaws with fines, clawbacks, and potentially jail time. You don’t want to be caught flouting the rules.
Risks across the board
There are plenty of places to go wrong as a provider, some more fraught with risk than others. For example, the IRS is always happy to pounce on the unwary. The Centers for Medicare and Medicaid Services (CMS) expects you to understand the Byzantine complexities of their system. OSHA and the Americans with Disabilities Act of 1990 (ADA) have snared many an unwary business.
And then there’s the EHR incentive program established by the HITECH Act. Even if you missed the opportunity to qualify for payments through “meaningful use” of EHR software, we’re now entering the penalty phase where Medicare reimbursements will start to decline for those not using a certified EHR system.
One of the most rigorous and complex laws you have to grapple with is the Health Insurance Portability and Accountability Act (HIPAA). Established in 1996, HIPAA was intended to safeguard patient records and ensure the privacy of patient information. In 2013, the Department of Health and Human Services (HHS) released the HIPAA Omnibus Rule, which modified, strengthened, and expanded certain provisions under HIPAA.
The Omnibus Rule reflects public and professional input to HHS and captures lessons learned through HIPAA implementation by healthcare professionals. Critically, it recognizes that computer security is a far more pressing issue today than it was at the time of HIPAA’s creation.
More than portability
Those unfamiliar with the HITECH Act and HIPAA will find the process of complying with their requirements to be daunting, but it can be done. If you’re already working on achieving or maintaining compliance, you’ll find it to be easier. But these are dynamic, changing programs that require constant monitoring and attention.
Regarding HIPAA, the law’s original intent was to help workers maintain insurance coverage in the event of changing jobs, and to constrain insurers from enacting pre-existing exclusion penalties on such workers and their families. It also aimed at preventing healthcare fraud and abuse.
It was the Privacy Rule enacted in 2003 that has become the teeth of the law. It established three key concepts: protected health information (PHI), covered entities (those to whom HIPAA law applies), and business associates (BAs).
As you likely know, the Privacy Rule allows covered entities to disclose PHI without a patient’s written consent if such disclosure is needed to provide medical treatment, payment, or other healthcare operations. The HIPAA forms you have patients sign during the new-patient process explain how their information may be used and disclosed, and record how they prefer to be contacted.
Should a patient believe that the Privacy Rule was violated, he or she can contact HHS and file a complaint, which will likely trigger an audit of the practice in question.
Let’s get physical
Covered entities under HIPAA are responsible for enacting physical safeguards. Even though these are only a small part of a HIPAA compliance program, violations in this area are likely to generate a complaint if noticed by patients.
You and your staff should regularly walk through your front door and view your practice through a patient’s eyes. Look for things a patient isn’t supposed to see—namely, PHI.
Sign-in sheets are OK if they only have patients’ names and times listed. Any health condition or billing data, however, is a violation if shown.
Watch for X-rays left on view boxes where other patients might see them. Check common therapy areas for charts or travel cards. If you use door pockets or wall holders, they could be problematic if they are clear plastic or too short to cover records completely.
It may not be reasonable to lock all non-patient areas against entry, but your recordkeeping and chart vicinities should be marked “staff only” or similar to dissuade accidental entry.
Let’s get digital
Where you’re likely to struggle most is in the area of electronic record security. You’ve seen the stories about major retailers, insurers, and even the government being hacked and having records stolen. HIPAA demands you erect robust safeguards for your data.
To be sure, medical practices are a ripe target for data theft, because patient records tend to contain all the information needed for ID theft and third-party fraud. Worse, without protections in place, if your digital records are stolen, you might not become aware of it until long after the damage is done.
On the black market, medical records can be used to create fake insurance cards and, in the U.S., to set up credit accounts and apply for Medicare reimbursement for wheelchairs and oxygen tanks, which can be resold.
Therefore HIPAA requires that your patient data be encrypted, particularly prior to transmission. You need to have good password security, and monitor your network activity.
In addition, you are required to have reminders to your staff throughout the year. Members of your team with access to PHI should be regularly reminded to guard passwords and change them periodically, to turn off computers at day’s end, and so forth.
You need to have a named compliance officer with an assigned job description. Other companies you interact with that handle your records, including EHR software vendors, cloud server hosts, accountants, and billing services, need to have a BA agreement with you that states they are also in compliance with HIPAA. Any person or entity that stores, transmits, or has access to your data is a BA. The contract may not absolve you of responsibility entirely in the event of a breach, but it will help.
Central to your data security is your practice’s risk analysis. This is a thorough examination of every portal through which access to PHI exists, and how you have taken steps to guard it. It also contains your written policies regarding how your data is protected and how you’ll report a security breach in the event one occurs.
You also need a contingency plan that outlines your procedures for data recovery in the event of a loss, and an emergency mode operations plan to show how you will operate during a crisis resulting from vandalism, fire, or other failure that damages your systems containing PHI.
What’s more, HIPAA now requires you to have an information systems activity review. Your computer systems must produce a log showing what records are accessed and by whom. By documenting that you review this log, you can prove to an auditor that you actively guard your data.
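As an added illustration of such an activity review (example code, not from the article or any EHR vendor), this script parses constructed access-log lines, summarizes who touched which records, flags accounts outside an assumed authorized list and after-hours access, and produces a dated, attributed review line to keep with your documentation; the log format, account names, record ids and clinic hours are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: "timestamp user action record-id" per line. The format,
# user names and record ids are assumptions for this example, not a real EHR's output.
SAMPLE_LOG = """\
2024-03-04T09:12:41 dr_smith VIEW PT-1001
2024-03-04T09:15:02 front_desk VIEW PT-1001
2024-03-04T22:47:10 billing_tmp EXPORT PT-1003
2024-03-05T10:03:55 dr_smith VIEW PT-1002
2024-03-05T10:04:30 front_desk VIEW PT-1003
2024-03-05T10:05:01 front_desk VIEW PT-1004
"""

BUSINESS_HOURS = (8, 18)  # assumed clinic hours; access outside them gets flagged

def parse_log(text):
    """Turn raw log lines into dicts with a parsed timestamp."""
    entries = []
    for line in text.splitlines():
        ts, user, action, record = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "record": record})
    return entries

def review(entries, authorized_users):
    """Summarize who accessed which records and flag what the reviewer should follow up on."""
    per_user = Counter(e["user"] for e in entries)
    records_by_user = defaultdict(set)
    flags = []
    for e in entries:
        records_by_user[e["user"]].add(e["record"])
        when = e["ts"].isoformat()
        if e["user"] not in authorized_users:
            flags.append(f"unknown account {e['user']} did {e['action']} on {e['record']} at {when}")
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            flags.append(f"after-hours {e['action']} of {e['record']} by {e['user']} at {when}")
    return {"per_user": dict(per_user),
            "records_by_user": {u: sorted(r) for u, r in records_by_user.items()},
            "flags": flags}

def review_record(summary, reviewer, reviewed_on):
    """One dated, attributed line: the proof of review an auditor looks for."""
    total = sum(summary["per_user"].values())
    return (f"{reviewed_on} activity review by {reviewer}: {total} accesses, "
            f"{len(summary['flags'])} flagged for follow-up")

if __name__ == "__main__":
    print(review_record(review(parse_log(SAMPLE_LOG), {"dr_smith", "front_desk"}),
                        "Compliance Officer", "2024-03-06"))
```

The flagged lines and the review line are what you file, signed and dated, alongside the log itself.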
You’ll need other policies and documents to demonstrate full compliance, but these are some of the largest and give you a sense of your considerable obligations.
It should be clear that all of your actions, policies, and employee training programs must be documented, signed, and dated; otherwise, in the eyes of an auditor, they won’t exist.
How long it will take you to achieve full HIPAA compliance depends on how many steps you have already taken. Most medical practices have patient consent forms, computer security, and some level of PHI protection as a matter of course. HIPAA has been in effect nearly 20 years.
Where most DCs go astray is in not keeping current with the program and failing to review and update policies and documentation. If you have major gaps in your compliance program, take steps to correct them now. Regular efforts of only a few hours a week can add up to a compliant program sooner than you might think. Once in place, your program should require only a few hours of attention a month.
Prepare for inspection
The OIG side of compliance is also critical. This office was established to prevent fraud and abuse in Medicare. They look for patterns of misconduct and improper coding and billing. It’s little surprise that DCs have been named as repeat offenders and are subject to extra scrutiny in this area.
OIG compliance programs are now required as a part of the Affordable Care Act. The OIG hasn’t established a deadline for implementation, but the wise DC will enact an OIG compliance program as soon as practicable.
There are four areas your program should address:
- Ensure you are billing only when medically necessary.
- Ensure you meet the documentation guidelines of whichever payer you’re billing.
- Actively look for billing and coding errors and correct them.
- Identify billing inconsistencies in your fee schedules to guard against dual billing, improper hardship rates, etc.
If you document your activities with respect to the above items, you’ll have a sound footing to demonstrate to an auditor that you are complying with OIG guidance. The goal is that your practice be self-policing for adherence, and that staff members who need to report a potential OIG violation can do so safely without fear of retaliation.
It is recommended to have your staff sign a code of conduct that acknowledges the importance of recognizing and reporting lapses or errors in conduct.
As should be evident by now, the key words are document, document, document. A government or private-party auditor should be able to review your written policies and find proof that you are actively implementing them and keeping them up-to-date.
What you don’t want is for an auditor to find a dusty binder on a shelf or in a drawer. Yes, compliance is a burden, but there’s a bright side: It can save you money. First, surviving an audit successfully means you avoid penalties, fines, increased oversight, and payment clawbacks. Second, careful compliance often uncovers areas where you can bill for services, adding to your bottom line.
Ultimately, compliance will improve your processes, safeguard you from trouble, protect your patients and their data, reduce your legal exposure, and help you sleep better at night.
NOTE: We would like to thank Ty Talcott, DC, CEO of HIPAA Compliance Services; Kathy Mills Chang, MCS-P, president of KMC University; Stephanie Higashi, DC, CEO and founder of Health Atlast; and Paul R. Hales, JD, a HIPAA law specialist and founder of hipaaetool.com, who contributed to this article. — eds.